Presentation is loading. Please wait.

Presentation is loading. Please wait.

LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security.

Similar presentations


Presentation on theme: "LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security."— Presentation transcript:

1 LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual Dec. 2006 Page(s):289 - 300 Presented by Kiet Vo

2 PolyUnpack Summary  “Modern malware often hides the malicious portion of their program code by making it appear as data at compile time and transforming it back into executable code at run time.”  In this paper the authors discuss a technique for automating the process of extracting the hidden- code of this type of malware.  A tool called PolyUnpack, can deobfuscate/decrypt the hidden code for later analysis.

3 PolyUnpack Appreciative Comments  The author has convinced well that PolyUnpack can detect more unpack-executing malware when compared with other dissemblers like PEiD and perform hidden code extraction efficiently.  One short coming in evaluating how well PolyUnpack assists malware reverse engineering and analysis is that the experiment was not knowing the inner workings of AV tools to see how well it helps the AV tools. The authors even planned to know the inner workings of several AV company labs but because of trade secrets, this was not possible. So the experiment was carefully planned and well thought.

4 Critical Comments  The paper does not say how the analysts manually unpack a given malware instance.  No comparisons made with other popular AV tools like Norton Antivirus as more users would get affected.

5 PolyUnpack How efficient is the tool?  I like this new feature of detecting multiple unpacking:  Some instances of unpack-executing malware complicate the process of extracting their hidden code by having the unpacked code perform additional unpacking.  Think of it as an executable file, inside another executable file. Which can be inside another executable file.  When executed, the ‘outer’ executable will unpack the contents of the inner executable into memory and execute it.  PolyUnpack used to acquire the innermost body of unpacked code, until the extracted code produces no unpacked code. 1. The hidden code is extracted into an executable version. 2. The new binary is then tested for unpack-execute behaviour. The first 2 steps are repeated until innermost most of the hidden code is extracted.

6 PolyUnpack How accurate is the tool?  PolyUnpack is evaluated using more than 3400 known malware binaries.  PolyUnpack identifies more unpack executing programs than PEiD ( a popular tool for detecting unpack executing programs).  PolyUnpack found 1754 samples to be unpack-executing and extracted their hidden code.  PEiD identified only 1482 samples.  Extracting without knowledge of how the runtime code is generated.  Efficiency: Manual extraction of hidden code takes more time:  Manually unpacking a given malware instance takes between 15 and 60 mins.  The average time PolyUnpack performs for each malware instance is less than 20 mins; over 60% took less than 5 mins.

7 PolyUnpack Questions  With the current increase of new unpack-executing malware. Do you think PolyUnpack would help other Antivirus software reduce false negative results or detect all unpack-execute malware?


Download ppt "LOGOPolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security."

Similar presentations


Ads by Google